ImageMagick, Heap Buffer Over-Write, GHSA-jqq5-8px3-9m6m (Moderate)

Listen to this Post

The original vulnerability, tracked as GHSA-5592-p365-24xh (CVE-2026-40169) , was a heap buffer overflow (write) in the YAML and JSON encoders of ImageMagick. This flaw allowed a crafted image to cause an out‑of‑bounds heap write during encoding, leading to a crash or potentially arbitrary code execution. The issue was fixed in ImageMagick 7.1.2‑19 and Magick.NET 14.12.0. However, the applied fix was incorrect and introduced a new vulnerability: a heap buffer over‑write of a single byte. The incorrect fix modified the bounds checking logic in the encoder’s memory management routines. Under specific conditions, the logic fails to account for a single byte when writing output, causing the encoder to write one byte past the allocated heap buffer. This single‑byte over‑write can corrupt adjacent heap metadata or program data, potentially leading to a denial of service (application crash) or, in advanced scenarios, arbitrary code execution. The vulnerability resides in the `WriteYAMLImage` and `WriteJSONImage` functions, where the size of the output buffer is miscalculated by one byte. An attacker can craft a malicious image that, when processed by an affected ImageMagick version during YAML or JSON output generation, triggers this single‑byte heap over‑write. The issue affects all Magick.NET packages below version 14.12.0. The incorrect fix was published on May 16, 2026, and updated on May 21, 2026. No CVE ID has yet been assigned to this specific incorrect‑fix vulnerability, so it is tracked under GitHub Security Advisory GHSA-jqq5-8px3-9m6m.

dailycve form:

Platform: ImageMagick/Magick.NET
Version: < 14.12.0
Vulnerability: Single‑byte heap over‑write
Severity: Moderate
Date: 2026-05-16

Prediction: 2026-06-15

Analytics under heading What Undercode Say:

Check vulnerable versions (bash):

Check Magick.NET version in a .csproj file
grep -E 'PackageReference Include="Magick.NET' .csproj
Check ImageMagick version
convert --version

Trigger the vulnerability (conceptual C code snippet):

// WriteYAMLImage() – vulnerable bounds check
if (offset + length > buffer_size) {
// Original fix: reallocate buffer + 1
// Incorrect fix: reallocate buffer only
// Result: writes one byte out of bounds when length == 1
write_byte(buffer + offset + length); // Off‑by‑one
}

Exploit:

A remote attacker can supply a specially crafted image file (e.g., a YAML or JSON output request) that, when processed by a vulnerable ImageMagick version, triggers the single‑byte heap over‑write. The over‑write can corrupt adjacent heap structures, leading to a denial of service (application crash). In advanced scenarios, the attacker might gain control of program flow, enabling arbitrary code execution.

Protection from this CVE

  • Upgrade to Magick.NET ≥ 14.12.0 (or ImageMagick ≥ 7.1.2-19).
  • If upgrading is not immediate, disable the YAML and JSON encoders in your application configuration (e.g., remove YAML/JSON output formats).
  • Validate all image inputs from untrusted sources before passing them to ImageMagick.
  • Use application sandboxing (e.g., Docker, containerization) to limit the impact of a successful exploit.

Impact

  • Denial of service – the application may crash when processing a malicious image.
  • Potential arbitrary code execution – a single‑byte heap over‑write can be chained with other memory corruption techniques to achieve code execution, though this is complex.
  • Data corruption – the corrupted heap metadata might lead to unexpected behaviour or data loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top